Using git internally to access an external git repository? Behind a corporate proxy that has a self-signed CA cert? Is git complaining about ‘SSL certificate problem: unable to get local issuer certificate’? Here ya go.
High level:
- Get the self-signed cert in a base 64 encoded file.
- git config http.sslCAInfo "path/to/that/file.cer"
You will hear a lot about setting http.sslVerify to false. Please don’t do this. If you later leave the environment that has the self-signed cert, git will still not be verifying any TLS/SSL traffic, opening you up to man-in-the-middle attacks.
Detailed with scripts for Windows (I’ll work on Linux later).
You need to get the self-signed certificate in a base 64 encoded file. There are a couple ways to do this depending on your situation.
On Windows when the certificate is only available from the remote git server itself.
```powershell
# powershell
```
On Windows when the certificate is in the Windows cert store.
This may be typical for corporate environments. It’s easy to tell: if git complains about a self-signed cert but your Chrome or Edge browser doesn’t, the cert is likely already on your computer.
```powershell
# powershell
```
The Where above may need to be modified to find the appropriate cert in your cert store.
Tell git to trust that certificate.
```
git config http.sslCAInfo "path-to-file-above.cer"
```
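An added example, not the script from the original post, covering the cert-store case end to end: it exports exactly one matching certificate as base64, points the current repository at it, and checks that verification is still on. The subject filter, the output path, the choice of the Root stores and the `origin` remote are assumptions to adapt.

```powershell
# Added example; $subjectMatch and $outFile are placeholders, not values from the post.
$subjectMatch = 'Example Corp Root CA'   # hypothetical: part of your CA's subject name
$outFile      = Join-Path $env:USERPROFILE 'corp-root-ca.cer'

# Assumption: the CA sits in a trusted-root store. Keep unexpired certs whose subject matches.
$found = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$subjectMatch*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object Thumbprint -Unique)

# The exported file becomes git's trust anchor, so refuse to guess between candidates.
if ($found.Count -ne 1) {
    $found | Format-List Subject, Issuer, Thumbprint, NotAfter | Out-String | Write-Host
    throw "Expected exactly one matching certificate, found $($found.Count). Tighten the filter."
}
$cert = $found[0]

# Print the thumbprint so it can be compared with the one your IT/security team publishes.
"Exporting: $($cert.Subject)"
"SHA-1 thumbprint: $($cert.Thumbprint)"

# Export the public certificate only (DER bytes), then wrap it as base64 PEM text.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
[IO.File]::WriteAllText($outFile, $pem, [Text.Encoding]::ASCII)

# Run from inside the repository: without --global this only affects that repository.
git config http.sslCAInfo $outFile

# Confirm verification has not been switched off at any config level.
$verify = git config --get-all --show-origin http.sslVerify
if ($verify -match 'false') { Write-Warning "http.sslVerify is disabled here: $verify" }

# A successful listing means the TLS chain now validates against the exported cert.
git ls-remote --heads origin
```

If the warning fires, remove the http.sslVerify entry from the config file it names rather than leaving it next to the new http.sslCAInfo setting.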
Special thanks
I must thank Philip Kelly for posting an article on this exact situation back in 2014. I also want to say thank you to Alejandro Campos Magencio for the post on getting the certificate chain. I put those two together with the exporting of the certificate to a file to produce this post.